Game Vuln Possibility ? - Urbanterror

Is this related to the ioquake3 vulns? Please comment. Should these files be accessed by Urbanterror?

Set up some audit logs to see what was going on, see logs below.

Whilst playing, files such as tcpdump, firefox, & /etc/passwd are being accessed, and denied, but the access request via the urbanterror application appears to be piped through nvidiactl.

This occurs on some servers, not all, and there seems to be some chat in regards to these activities.

Thought this had been corrected? No guru, but these files shouldn't be accessed by the UT executable; one slip on an unpatched system and voilà, root access via the app. Looks like smurfing was attempted.

Re: Game Vuln Possibility ? - Urbanterror

It looks like the Firefox events are actually being caused by Firefox itself, so that's a separate issue. My guess is it has something to do with the hardware acceleration feature. That can be disabled in Preferences under Advanced, General tab, then in the Browsing section. I would suggest that you uncheck that box and run Firefox again, then check the same logs to see if the apparmor events go away.

The other application I'm not sure about.

EDIT: I just noticed that the UrbanTerror is located in the Downloads folder. Is it not actually installed? Where was it downloaded from?

Re: Game Vuln Possibility ? - Urbanterror

As the poster above me stated Firefox graphical acceleration is what's causing the majority of these.

The issue with Urban Terror trying to access /etc/passwd is because Urban Terror locks the passwd file at run time, it will retry if it fails (like if Apparmor is not allowing it).

/etc/passwd is world readable and accessible to most applications, it is not odd to see them attempting to access it. As far as smurfing, not sure where you are determining from that log that a denial of service of that nature is being attempted, as it is an Apparmor audit log and a smurf attack does not attempt to access objects on the disk. It instead attempts to send surreptitious amounts of ICMP echo requests to the target (hence its nickname the ping of death).

It is easy enough to deny that traffic if you are seeing it.

Code:

sudo iptables -A INPUT -p icmp --icmp-type 8 -j DROP

In this case I think the root cause of the logs is quite simply a misconfigured apparmor profile.
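The two replies above hinge on reading the AppArmor audit log by confined profile rather than by file name: Firefox's denials of the NVIDIA device nodes are logged under Firefox's own profile, and the game's attempts on /etc/passwd under the game's profile. The script below is an added example, not code from the thread, that parses the `key="value"` records AppArmor writes to the audit log and counts denials per profile and per path. The log lines, the profile paths (the game binary in ~/Downloads, a Firefox profile name) and the watch list are constructed here for illustration; the original poster's logs were never posted.

```python
import re
from collections import defaultdict

# Constructed profile names, assumed for the sample below (not taken from the thread).
GAME_PROFILE = "/home/user/Downloads/UrbanTerror/ioUrbanTerror.i386"
FIREFOX_PROFILE = "/usr/lib/firefox/firefox{,*[^s][^h]}"

# Constructed sample records in the kernel-audit format AppArmor uses
# (type=AVC ... apparmor="DENIED" ...). These are illustrative, not real logs.
SAMPLE_AUDIT_LOG = "\n".join([
    'type=AVC msg=audit(1327989830.101:201): apparmor="DENIED" operation="open" parent=2300 '
    f'profile="{GAME_PROFILE}" name="/etc/passwd" pid=2345 comm="ioUrbanTerror.i3" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'type=AVC msg=audit(1327989830.102:202): apparmor="DENIED" operation="open" parent=2300 '
    f'profile="{GAME_PROFILE}" name="/usr/sbin/tcpdump" pid=2345 comm="ioUrbanTerror.i3" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    # Complain-mode profiles log apparmor="ALLOWED"; this one must not count as a denial.
    'type=AVC msg=audit(1327989831.500:203): apparmor="ALLOWED" operation="open" parent=2300 '
    f'profile="{GAME_PROFILE}" name="/dev/nvidiactl" pid=2345 comm="ioUrbanTerror.i3" '
    'requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0',
    'type=AVC msg=audit(1327989840.000:204): apparmor="DENIED" operation="open" parent=1 '
    f'profile="{FIREFOX_PROFILE}" name="/dev/nvidiactl" pid=2401 comm="firefox" '
    'requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0',
    'type=AVC msg=audit(1327989841.000:205): apparmor="DENIED" operation="open" parent=1 '
    f'profile="{FIREFOX_PROFILE}" name="/dev/nvidia0" pid=2401 comm="firefox" '
    'requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0',
])

# Matches key="quoted value" or key=bareword pairs in an audit record.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Split one audit line into its fields; return None if it is not an AppArmor record."""
    fields = {key: (quoted or bare) for key, quoted, bare in _KV_RE.findall(line)}
    if "apparmor" not in fields:
        return None
    return fields


def summarize_denials(log_text):
    """Count DENIED events per confined profile and per target path.

    Grouping by profile is what separates the game's own denials from Firefox's:
    each confined program is logged under its own profile= field, even when
    both touch the same shared resource (such as /dev/nvidiactl).
    """
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or rec.get("apparmor") != "DENIED":
            continue
        summary[rec["profile"]][rec.get("name", "?")] += 1
    return {profile: dict(paths) for profile, paths in summary.items()}


def sensitive_hits(summary, watch):
    """Return sorted (profile, path, count) triples for denied paths on a watch list."""
    hits = []
    for profile, paths in summary.items():
        for path, count in paths.items():
            if path in watch:
                hits.append((profile, path, count))
    return sorted(hits)


if __name__ == "__main__":
    # Run against the constructed sample; on a real box feed it /var/log/audit/audit.log
    # or /var/log/kern.log, depending on whether auditd is installed.
    result = summarize_denials(SAMPLE_AUDIT_LOG)
    for profile, paths in result.items():
        print(profile)
        for path, count in sorted(paths.items()):
            print(f"  {count:3d}  {path}")
    print("watch-list hits:", sensitive_hits(result, {"/etc/passwd", "/etc/shadow"}))
```

The watch list is deliberately a separate step: a denial of /etc/passwd by a game is, as the reply above says, usually just a world-readable file being opened and blocked by a tight profile, so the useful signal is which profile asked, how often, and whether anything on the list was actually allowed rather than denied.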

Re: Game Vuln Possibility ? - Urbanterror

I will also try the settings recommended by OpSecShellshock for graphics control.

Downloaded from Urban Terror site mirror.

The ddos seemed to be caused in the game and network bandwidth being swallowed along with file access; the firefox bit sent things off on a tangent I suppose.

Sorry, I had grepped the logs, and there is some concatenation. Firefox libs are called by the game exe Urbanterror. I don't have the original logs at the very present; I will post when I get back to that machine.

So is it possible with firefox not loaded that the game exe would need to access it, or is it some form of game nvid control combined with firefox?

I did have the logs where tcpdump was accessed while playing, and was successfully accessed.

I should also add that severe traffic interruption was experienced, before I changed the AppArmor config for the executable.

The gents who originally located the vuln in quake3 say it does look like the vuln they found 5 years ago:
bugtraq/2006-05/msg00168.html

I have had people say they have accessed the file system under the user group playing the game, via a console.
& BTW I'm not running as root or su group; this is strange as this is a udp game (socks disabled), unless there is some code in it that opens, but normal net utils aren't showing any tcp sockets.

Thanks for the suggestions.

Last edited by tuxinteger; February 1st, 2012 at 03:44 PM.
Reason: errors -2 many cups of coffee